/***************************************************************************
 *   Copyright (C) 2012 by Timothy Pearson                                 *
 *   kb9vqf@pearsoncomputing.net                                           *
 *                                                                         *
 *   This program is free software; you can redistribute it and/or modify  *
 *   it under the terms of the GNU General Public License as published by  *
 *   the Free Software Foundation; either version 2 of the License, or     *
 *   (at your option) any later version.                                   *
 *                                                                         *
 *   This program is distributed in the hope that it will be useful,       *
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of        *
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the         *
 *   GNU General Public License for more details.                          *
 *                                                                         *
 *   You should have received a copy of the GNU General Public License     *
 *   along with this program; if not, write to the                         *
 *   Free Software Foundation, Inc.,                                       *
 *   59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.             *
 ***************************************************************************/

#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <pwd.h>

#include <kapplication.h>
#include <kstartupinfo.h>
#include <kcmdlineargs.h>
#include <kaboutdata.h>

#include <ksimpleconfig.h>

#include <tqdatetime.h>
#include <tqfile.h>

#include <libtdeldap.h>

// FIXME
// Connect this to CMake/Automake
#define KDE_CONFDIR "/etc/trinity"

static const char description[] =
	I18N_NOOP("TDE utility for updating realm certificates");

static const char version[] = "v0.0.1";

int uploadKerberosCAFileToLDAP(LDAPManager* ldap_mgr, TQString* errstr) {
	// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
	TQFile cafile(KERBEROS_PKI_PEM_FILE);
	if (cafile.open(IO_ReadOnly)) {
		TQByteArray cafiledata = cafile.readAll();
		if (ldap_mgr->writeCertificateFileIntoDirectory(cafiledata, "publicRootCertificate", errstr) != 0) {
			return -1;
		}
		return 0;
	}
	return -1;
}

int main(int argc, char *argv[])
{
	TDEAboutData aboutData( "primaryrccertupdater", I18N_NOOP("Realm Certificate Updater"),
		version, description, TDEAboutData::License_GPL,
		"(c) 2012, Timothy Pearson");
		aboutData.addAuthor("Timothy Pearson",0, "kb9vqf@pearsoncomputing.net");
	TDECmdLineArgs::init( argc, argv, &aboutData );
	TDEApplication::disableAutoDcopRegistration();

	TDEApplication app(false, false);

	TDEStartupInfo::appStarted();

	//======================================================================================================================================================
	//
	// Updater code follows
	//
	//======================================================================================================================================================

	// FIXME
	// This assumes Debian!
	TQString m_ldapUserName = "openldap";
	TQString m_ldapGroupName = "openldap";

	KSimpleConfig* m_systemconfig = new KSimpleConfig( TQString::fromLatin1( KDE_CONFDIR "/ldap/ldapconfigrc" ));
	LDAPRealmConfigList m_realmconfig = LDAPManager::readTDERealmList(m_systemconfig, false);
	// Load cert config
	m_systemconfig->setGroup("Certificates");
	LDAPCertConfig m_certconfig;
	m_certconfig.countryName = m_systemconfig->readEntry("countryName");
	m_certconfig.stateOrProvinceName = m_systemconfig->readEntry("stateOrProvinceName");
	m_certconfig.localityName = m_systemconfig->readEntry("localityName");
	m_certconfig.organizationName = m_systemconfig->readEntry("organizationName");
	m_certconfig.orgUnitName = m_systemconfig->readEntry("orgUnitName");
	m_certconfig.commonName = m_systemconfig->readEntry("commonName");
	m_certconfig.emailAddress = m_systemconfig->readEntry("emailAddress");
	// Load other defaults
	m_systemconfig->setGroup(NULL);
	TQString m_defaultRealm = m_systemconfig->readEntry("DefaultRealm");

	TQDateTime certExpiry;
	TQDateTime now = TQDateTime::currentDateTime();
	TQDateTime soon = now.addDays(7);	// Keep in sync with src/ldapcontroller.cpp

	TQString kdc_certfile = KERBEROS_PKI_KDC_FILE;
	kdc_certfile.replace("@@@KDCSERVER@@@", m_realmconfig[m_defaultRealm].kdc);
	TQString ldap_certfile = LDAP_CERT_FILE;
	ldap_certfile.replace("@@@ADMINSERVER@@@", m_realmconfig[m_defaultRealm].admin_server);

	// Certificate Authority
	if (TQFile::exists(KERBEROS_PKI_PEM_FILE)) {
		certExpiry = LDAPManager::getCertificateExpiration(KERBEROS_PKI_PEM_FILE);
		if (certExpiry >= now) {
			printf("Certificate %s expires %s\n\r", TQString(KERBEROS_PKI_PEM_FILE).ascii(), certExpiry.toString().ascii()); fflush(stdout);
		}
		if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
			printf("Regenerating certificate %s...\n\r", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
			LDAPManager::generatePublicKerberosCACertificate(m_certconfig);
		
			TQString realmname = m_defaultRealm.upper();
			LDAPCredentials* credentials = new LDAPCredentials;
			credentials->username = "";
			credentials->password = "";
			credentials->realm = realmname;
			LDAPManager* ldap_mgr = new LDAPManager(realmname, "ldapi://", credentials);
		
			// Upload the contents of KERBEROS_PKI_PEM_FILE to the LDAP server
			TQString errorstring;
			if (uploadKerberosCAFileToLDAP(ldap_mgr, &errorstring) != 0) {
				printf("[ERROR] Unable to upload new certificate to LDAP server!\n\r%s\n\r", errorstring.ascii()); fflush(stdout);
			}

			delete ldap_mgr;
		}
	}
	else {
		printf("[WARNING] Certificate file %s not found!\n\r", TQString(KERBEROS_PKI_PEM_FILE).ascii()); fflush(stdout);
	}

	// Kerberos
	if (TQFile::exists(kdc_certfile)) {
		certExpiry = LDAPManager::getCertificateExpiration(kdc_certfile);
		if (certExpiry >= now) {
			printf("Certificate %s expires %s\n\r", kdc_certfile.ascii(), certExpiry.toString().ascii()); fflush(stdout);
		}
		if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
			printf("Regenerating certificate %s...\n\r", kdc_certfile.ascii()); fflush(stdout);
			LDAPManager::generatePublicKerberosCertificate(m_certconfig, m_realmconfig[m_defaultRealm]);
		}
	}
	else {
		printf("[WARNING] Certificate file %s not found!\n\r", kdc_certfile.ascii()); fflush(stdout);
	}

	// LDAP
	if (TQFile::exists(ldap_certfile)) {
		certExpiry = LDAPManager::getCertificateExpiration(ldap_certfile);
		if (certExpiry >= now) {
			printf("Certificate %s expires %s\n\r", ldap_certfile.ascii(), certExpiry.toString().ascii()); fflush(stdout);
		}
		if ((certExpiry < now) || ((certExpiry >= now) && (certExpiry < soon))) {
			printf("Regenerating certificate %s...\n\r", ldap_certfile.ascii()); fflush(stdout);
			uid_t slapd_uid = 0;
			gid_t slapd_gid = 0;
		
			// Get LDAP user uid/gid
			struct passwd *pwd;
			pwd = getpwnam(m_ldapUserName);
			slapd_uid = pwd->pw_uid;
			slapd_gid = pwd->pw_gid;
		
			LDAPManager::generatePublicLDAPCertificate(m_certconfig, m_realmconfig[m_defaultRealm], slapd_uid, slapd_gid);
		}
	}
	else {
		printf("[WARNING] Certificate file %s not found!\n\r", ldap_certfile.ascii()); fflush(stdout);
	}

	delete m_systemconfig;

	//======================================================================================================================================================

	return 0;
}